Static build CKB's release with openssl 3

[eval-exec]

Feature Request

Is your feature request related to a problem? Please describe.

The OpenSSL 1.1.1 series has reached its End of Life, so it's time for us to transition to OpenSSL 3 since CKB is statically built with OpenSSL 1.1.1.

ckb/.github/workflows/package.yaml

Lines 113 to 115 in 6c6ea88

	export OPENSSL_LIB_DIR=${TOP_DIR}/openssl-1.1.1
	export OPENSSL_INCLUDE_DIR=${TOP_DIR}/openssl-1.1.1/include
	PKG_CONFIG_ALLOW_CROSS=1 CC=gcc CC_aarch64_unknown_linux_gnu=aarch64-linux-gnu-gcc cargo build --target=aarch64-unknown-linux-gnu --release --features portable

ckb/.github/workflows/package.yaml

Line 198 in 6c6ea88

make OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/usr/local/opt/openssl@1.1/lib OPENSSL_INCLUDE_DIR=/usr/local/opt/openssl@1.1/include ${{ matrix.build_target }}

ckb/.github/workflows/package.yaml

Line 257 in 6c6ea88

make OPENSSL_STATIC=1 OPENSSL_LIB_DIR=/opt/homebrew/opt/openssl@1.1/lib OPENSSL_INCLUDE_DIR=/opt/homebrew/opt/openssl@1.1/include ${{ matrix.build_target }}

We should also consider upgrading the ckb-docker-builder:

https://github.com/nervosnetwork/ckb-docker-builder/blob/8ce6f4d4a073be833ef07f6a61d038eeb12b5780/centos-7/Dockerfile#L11-L12

[doitian]

Related: nervosnetwork/ckb-cli#566

[eval-exec]

We can't use centos-7 to build openssl 3.1.3, since openssl 3.1.3 need GLIBC_2.18 at least, but centos-7 only provide GLIBC 2.17:

• When I try to build openssl 3.1.3 on nervos/ckb-docker-builder:centos-7-rust-1.71.1, this error occured:

Caused by:
  process didn't exit successfully: `/ckb/target/prod/build/openssl-sys-9f0e66e82e308245/build-script-main` (exit status: 1)
  --- stderr
  /ckb/target/prod/build/openssl-sys-9f0e66e82e308245/build-script-main: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by /ckb/target/prod/build/openssl-sys-9f0e66e82e308245/build-script-main)
  /ckb/target/prod/build/openssl-sys-9f0e66e82e308245/build-script-main: /lib64/libc.so.6: version `GLIBC_2.27' not found (required by /ckb/target/prod/build/openssl-sys-9f0e66e82e308245/build-script-main)
  /ckb/target/prod/build/openssl-sys-9f0e66e82e308245/build-script-main: /lib64/libc.so.6: version `GLIBC_2.18' not found (required by /ckb/target/prod/build/openssl-sys-9f0e66e82e308245/build-script-main)
warning: build failed, waiting for other jobs to finish...
error: /lib64/libc.so.6: version `GLIBC_2.25' not found (required by /ckb/target/prod/deps/libnumext_constructor-034cd93ffbc6e1e3.so)

❯ docker run --rm -it nervos/ckb-docker-builder:centos-7-rust-1.71.1 bash                                 
[root@9574b0e79d5a /]# ldd --version
ldd (GNU libc) 2.17
Copyright (C) 2012 Free Software Foundation, Inc.
This is free software; see the source for copying conditions.  There is NO
warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.
Written by Roland McGrath and Ulrich Drepper.

[doitian]

try newer version of devtoolset and llvm-toolset

[eval-exec]

try newer version of devtoolset and llvm-toolset

Thank you.

[eval-exec]

@doitian I just found out that the easiest way to make ckb binary statically link SSL is to enable the openssl-vendored feature of the tentacle package.

[eval-exec]

If we enable openssl-vendored feature for tentacle, then we won't need to compile openssl in ckb-docker-builder anymore.